Information Commissioner's foreword


This is my second annual report as the United Kingdom's Information 
Commissioner. 2017-18 has been a year of increasing activity and 
challenging actions, some unexpected, for the office. 


The office would not have been successful in dealing with the numerous 
challenges we faced in 2017-18 without the capability and the commitment 
of the staff and I would like to acknowledge them. Whether it be our 
outreach staff in Cardiff, Belfast and Edinburgh or our staff in the main 
office in Wilmslow - the successes of the year are your successes. 


I would also acknowledge the ongoing support and guidance of my 
Management Board, both executive and non-executive members. 
Their willingness to advise and guide me on a wide range of matters 
is invaluable. 


At the time of my previous annual report the office was heavily involved in 
preparations for the upcoming General Data Protection Regulation (GDPR), 
working on guidance with our EU counterparts and identifying how our own 
processes needed to change to take account of the GDPR. 


In 2017-18 this activity has upped a few gears and involved many more 
staff. We have produced well received guidance on the new law for 
organisations, and have also continued a successful change management 
process to ensure our internal processes and workflows are up to the 
demands placed upon us by GDPR. 


All this preparation for the new law has taken place against the backdrop 
of continued increases in demand for ICO adjudication on data protection 
and freedom of information casework. I am heartened to report that we 
have managed to close more cases than last year. This is truly impressive 
considering the same staff working on cases have also had to upskill their 
knowledge to take account of legislative changes and provide in-house 
training to new starters at the ICO. The ability of our staff to handle this 
increased workload demonstrates our ability to adjust and expand to 
increased demand for our regulatory services. This should reassure UK 
citizens that the ICO will be up to the challenge of handling their concerns 
well into the future even if caseloads rise as our projections indicate. 


The ICO’s pay levels have fallen out of step with the rest of the public 
sector so I made a personal effort, supported by senior leadership 
colleagues and others, to make a compelling case to improve pay at the 
ICO. The recommendations I made were accepted by Government and the 
three-year pay flexibility now afforded to the ICO will ensure that we can 
retain our high performing staff while recruiting new talent. 


We continue to take decisive action on nuisance calls and the misuse of 
personal data, an area of particular aggravation for people. This included a 
record £400,000 fine for TalkTalk following an ICO investigation into their 
failure to implement basic cyber security measures which led to a data 
breach as well as actions against a number of charities.

We commenced an investigation involving over 30 organisations, including
Facebook and Cambridge Analytica, into their use of personal data and 
analytics for political campaigns. This investigation is ongoing. 


Our helpline and advice service expanded in line with increased demand
for our services, offering a frontline ICO presence to both people and
organisations. In the lead up to GDPR taking effect, we saw significant 
increases in demand from organisations who want to ensure they are 
compliant. We've responded to this demand by introducing a new helpline 
specifically tailored to small businesses and their particular concerns. We've 
also made it easier for organisations to report data breaches to us by 
putting a telephone-based data breach reporting service in place. 


For organisations fully engaged in their preparations for GDPR, we have 
greatly expanded our Guide to GDPR to move towards making it our core 
piece of guidance on data protection. Our audit staff have been able to 
advise on good practice principles such as record keeping during their busy 
year conducting audits, including the very important follow-up audits of 
organisations who have already received an initial assessment from the ICO. 


We recognised that individuals must be taken along with us in the change 
to GDPR. We prepared an education and awareness-raising campaign to 
ensure people are aware of their rights under the new data protection 
regime. The ‘Your Data Matters’ campaign has been designed to work as a 
series of adaptable messages which organisations can tailor to their own 
customer base to inform them of their data rights. In addition the ICO will 
promote these key messages to individuals through various promotional 
channels. It is only through informed, empowered individuals exercising 
their information rights that we will see real and sustained compliance 
across the UK. 


Our policy staff provided sound advice on government proposals during the 
passage of the Data Protection Act 2018. The Act implements the parts of
the GDPR left to UK discretion in addition to applying data protection law 
to areas beyond the scope of the GDPR. We provided regular published 
updates to Parliamentarians as the bill progressed through Parliament, 
highlighting areas of concern for the ICO. 


This is an important time for privacy rights. A new legal framework in 
our immediate future, increased public interest in their data protection 
and access rights. Transparency and accountability must be paramount, 
otherwise it will be impossible to build trust in the way that personal 
information is obtained, used and shared online. 


I believe the data and evidence in this report indicates the ICO is the 
proactive digital regulator the UK needs for the ongoing challenges of 
upholding information rights in the digital world. 



Elizabeth Denham 
10 July 2018

Our mission, vision and strategic goals


Our Mission 


To uphold information rights for the UK public in the 
digital age. 


Our Vision 


To increase the confidence that the UK public have 
in organisations that process personal data and those 
which are responsible for making public information 
available. 


Strategic goals 


1. To increase the public’s trust and confidence in how 
data is used and made available. 


2. Improve standards of information rights practice 
through clear, inspiring and targeted engagement 
and influence. 


3. Maintain and develop influence within the global 
information rights regulatory community. 


4. Stay relevant, provide excellent public service and 
keep abreast of evolving technology. 


5. Enforce the laws we help shape and oversee.

and from April 2018


6. To be an effective and knowledgeable regulator for 
cyber related privacy issues.

The legislation we regulate


The Data Protection Act 1998 (DPA 1998) was the data protection 
legislation the ICO regulated during 2017-18. It gave citizens important 
rights, including the right to know what information was held about them 
and the right to correct information that was wrong. It also helped protect 
the interests of individuals by obliging organisations to manage the 
personal information they held in an appropriate way. 


As of 25 May 2018 the new Data Protection Act 2018 (DPA 2018) and the 
GDPR both commenced, superseding the duties and obligations under the 
1998 Act. 


The Freedom of Information Act 2000 (FOIA) gives people a general 
right of access to information held by most public authorities. Aimed at 
promoting a culture of openness and accountability across the public sector, 
it enables a better understanding of how public authorities carry out their 
duties, why they make the decisions they do and how they spend public 
money. 


The Privacy and Electronic Communications Regulations 2003 
regulate the use of electronic communications for the purpose of unsolicited 
marketing to individuals and organisations, including the use of cookies. 


The Environmental Information Regulations 2004 provide an 
additional means of access to environmental information. The Regulations 
cover more organisations than the FOIA, including some private sector 
bodies, and have fewer exemptions. 


The Infrastructure for Spatial Information in the European 
Community Regulations 2009 (INSPIRE) give the Information 
Commissioner enforcement powers in relation to the pro-active provision by 
public authorities of geographical or location based information. 


The Re-use of Public Sector Information Regulations 2015 (RPSI) 
gives the public the right to request the re-use of public sector information 
and details how public bodies can charge for re-use and license the 
information. The ICO deals with complaints about how public bodies have 
dealt with requests to re-use information. 


The Investigatory Powers Act 2016 (IPA) imposes duties on 
communications service providers in respect of the retention of 
communications data for third party investigatory purposes where
they have been issued with a notice from the Secretary of State. The
Information Commissioner has a duty to audit the security, integrity and
destruction of that retained data.

The Electronic Identification and Trust Services for Electronic
Regulations 2016 (eIDAS) sets out rules for the security and integrity
of trust services including electronic signatures, seals, time stamps and
website authentication certificates. The ICO has a supervisory role towards 
organisations providing these trust services, including being able to grant 
qualified status to providers who demonstrate compliance with certain 
areas of the regulations and the ability to take enforcement action. 


The Network and Information Systems Regulations 2018 (NIS) are
derived from the European NIS Directive which establishes a common level
of security for network and information systems. These systems play a vital 
role in the economy and wider society, and NIS aims to address the threats 
posed to them from a range of areas, most notably cyber-attacks.

Our major achievements and work this year


Goal 1: To increase the public's trust and confidence in how data is used 
and made available 


Publicising GDPR and data protection 


To help ensure people know their rights under GDPR, in May 2017 we 
launched a publicity campaign entitled GDPR One Year To Go which 
promoted key data protection messages on social media, and developed a 
further campaign, Your Data Matters, which was launched at our April 2018 
Data Protection Practitioners Conference. This campaign allows us to offer 
off the shelf communications materials on individual rights to organisations 
who are keen to promote these rights to their customers. 


During the year we also worked hard to make the ICO website (and hence 
our guidance) more visible when people search for data protection. Our 
Guide to GDPR has had two and a half million views. This is our core 
guidance on the new legislation and includes information on the lawful 
bases for processing, accountability and documentation requirements and 
individual rights. 


We also published new content on legitimate interests and Data Protection 
Impact Assessments, an interactive tool to help organisations identify their 
lawful basis for processing personal data, a Guide to the Law Enforcement 
Directive and an introduction to the Data Protection Bill which subsequently 
received Royal Assent on 23 May 2018. 


Assistance for small and medium sized enterprises (SMEs) and 
other similar organisations 


In recognition of the particular problems those running small businesses 
and charities faced when preparing for GDPR we have run a series of radio 
adverts aimed at raising GDPR awareness in the sector, and, in November 
2017, we launched a dedicated SME advice line. 


We also published guidance to help SMEs understand their new 
data protection obligations under GDPR, and a new version of our 
self-assessment toolkit. This is also aimed at SMEs and includes 
GDPR checklists. 


Additionally we developed frequently asked questions and their answers for 
small organisations in the health, charity, local government and education 
sectors, and supported a range of stakeholders and representative bodies 
as they have produced their own GDPR guidance. These included the Direct 
Marketing Association, the National Health Service (NHS), the Health 
Research Authority and the Department for Education.

European GDPR guidance


In fulfilling our role as an information rights regulator we contributed to a 
number of Article 29 Working Party guidelines explaining the GDPR, led the 
work on automated decision making and personal data breach notification, 
and helped draft guidelines on consent, administrative fines, transparency, 
data portability, the Law Enforcement Directive and international transfers 
between public bodies for administrative cooperation purposes. 


Finally we led on work on certification and accreditation and provided 
detailed input to the opinion on the proposed e-Privacy Regulation. 


Our audits 


To improve information rights compliance in both organisations and in 
specific sectors, during the year we undertook 26 audits of which 18 
related to data protection compliance and eight to compliance with PECR, 
providing advice and recommendations. We also undertook 24 follow-up 
audits checking that recommendations we had made previously had been 
acted upon. In addition we undertook 43 information risk reviews, which 
focussed on the higher education sector and on breach reporting in local 
and central government, and 56 SME advisory visits. 


Fundraising under GDPR 


Charities have been concerned about how best to comply with the GDPR 
when fundraising. We have spoken at a range of events, including ones 
arranged by the National Council of Volunteer Organisations and at the 
Houses of Parliament, aimed at supporting charities prepare for GDPR. 
We also provided detailed input on guidance produced by the Fundraising 
Regulator and the Institute of Fundraising on GDPR and wealth screening. 


Other guidance 


We amended our guidance on international transfers to reflect 
developments related to the EU-US Privacy Shield and we reflected 
significant new case law on the concept of disproportionate effort in 
our Subject Access Code of Practice. We also published our new Guide 
to eIDAS.

Goal 2: Improve standards of information rights practice through clear,
inspiring and targeted engagement and influence 


Key note speeches 


During 2017-18 the Commissioner delivered speeches on information rights 
and on specific aspects of the law and policy. These amplify the ICO's key 
messages and are further refined for specific audiences by ICO staff at 
other events. The main Commissioner's speeches included: 


• The National Police Chiefs’ Council Information Practitioner event, on
policing and data protection.

• Privacy Laws and Business annual conference, on promoting privacy with
innovation within the law.

• Archives and Records Association annual conference, on a duty to
document in the public sector.

• CBI Cyber Security Conference, on the link between data protection and
cyber security.

• Institute of Directors Digital Summit, on innovation in the commercial
sector and data protection.

• TechUK Data Ethics Summit, on ethics in data use innovation.

• Association of Chief Executives and Public Chairs’ Forum, on executive's
responsibility for information rights compliance.

• Privacy and Security Conference Canada, on a comparative approach to
data protection and data flows in the UK and Canada.

• Direct Marketing Association's Data Protection 2018 event, on the ICO's
preparations for GDPR.

• Centre for Research into Information, Surveillance and Privacy annual
lecture, on the varied roles of the Information Commissioner.

• University College London Department of Information Studies 2018
annual Jenkinson Lecture, on transparency and FOI.

• Alan Turing Institute - The GDPR and Beyond: Privacy, Transparency and
the Law - event, on developments in artificial intelligence and how they
can comply with data protection.


Select Committees and consultations 


Reflecting the high parliamentary and media interest in our work we 
provided oral evidence to the following Select Committees: 


• The House of Lords Committee on Artificial Intelligence.

• The Home Affairs Committee on Post Brexit Law Enforcement
Cooperation.

• The House of Commons Science and Technology Committee on
algorithms in decision making.

• The House of Lords Communications Committee on the advertising
industry.

• The House of Commons Department for Digital, Culture, Media and Sport
(DCMS) Committee on fake news.

• The Public Administration and Constitutional Affairs Committee's inquiry
on Sourcing public services: lessons learned from the collapse of
Carillion.


In addition we presented informally to other Select Committees and All 
Party Parliamentary Groups (APPGs) including the House of Lords Science 
and Technology Committee, the House of Commons DCMS Committee, 
the APPG for Artificial Intelligence, the APPG for Data Analytics and the 
Parliamentary Internet, Communications and Technology Forum. We also 
provided written evidence to a wide range of other parliamentary groups. 


The passage of the Data Protection Bill through Parliament 


The Data Protection Bill entered Parliament in September 2017. It included 
the UK's national implementing measures and derogations for the GDPR 
and applied these provisions to areas not covered by European Union law, 
along with measures to implement the European Union Law Enforcement 
Directive and covering domestic law enforcement processing and the 
intelligence services. The Bill received Royal Assent in May 2018. 


We dedicated significant resources to the drafting of the Bill and to making 
amendments during its parliamentary passage. This included amendments 
where we believed the law needed strengthening such as around our 
investigative powers. 


We also helped Parliamentarians understand the Bill and our views on 
where changes were necessary; providing briefings at key points, giving 
evidence to the Commons' Public Bill Committee and launching a webpage
so that our views on the Bill were readily accessible. We also engaged
with others on how the Bill's provisions would work in practice. And we
participated in the Cross Government Implementation Group to ensure that 
government departments received timely and consistent advice and that 
we were alert to issues that needed our attention. 


Age verification when accessing pornography 


The British Board of Film Classification consulted on draft guidance about 
its role as the age verification regulator for access to pornography. We 
provided input on the data protection issues that pornography providers 
must consider when implementing age verification mechanisms. 


Political campaigning in the June 2017 General Election 


Before the June 2017 General Election we updated our guidance on political 
campaigning to reflect the increasing use of data analytics. To help ensure
the political parties knew about the guidance we held a briefing session for
the main political parties. 


In addition we worked with House of Commons authorities and Government 
to provide advice to Members of Parliament on the implications for them of 
GDPR, and advice to political parties in preparation for GDPR through one 
to one liaison and a group briefing session.

Work with civil society groups


To increase our understanding of information rights concerns and to 
introduce the ICO grants and contributions programme, we continued 
to develop a constructive relationship with civil society groups including 
holding discussions on the implications of the then Data Protection Bill.


Data sharing codes of practice under the Digital Economy Act 


We engaged with Government on the data sharing codes and regulations 
arising from the Digital Economy Act 2017. In response to the public 
consultation, we welcomed the inclusion of a publicly available register of 
information sharing agreements. 


Verify identity assurance programme 


We worked with Government on its digital transformation programme,
including the verify identity assurance programme which is being rolled out
across a range of public services. We participated in the related privacy and 
consumer group that included a number of civil society and other interests. 


Grenfell Tower tragedy 


During the autumn of 2017 the Commissioner received ten complaints 
about the Royal Borough of Kensington and Chelsea and its failure to 
respond to information requests relating to the Grenfell Tower disaster. 
Following investigation the Commissioner issued seven decision notices 
requiring the Council to issue responses. 


We also raised awareness of the importance of proactively releasing 
fire safety assessment information and are considering including such 
information in publication scheme requirements. 


Automatic Number Plate Recognition (ANPR) 


The police use ANPR technology to capture and retain a record of every 
vehicle that drives past an ANPR camera. The retention period for this data 
is two years. 


Along with the Surveillance Camera Commissioner and others we have 
flagged up concerns about this retention period. Research has shown
that the data has value for up to a year but keeping it longer is difficult
to justify. As a result the police have now agreed to reduce the retention 
period to one year. This will result in the deletion of billions of records and 
means a more proportionate approach to retention will be in place.

Goal 3: Maintain and develop influence within the global information
rights regulatory community. 


International Strategy 


To protect the UK public's personal data in a digital global environment the 
ICO needs to co-operate internationally. To support this we have developed 
an International Strategy for 2017 to 2021. The strategy sets out the main 
challenges faced by us and the structure, resourcing, engagement and 
evaluation needed to allow us to meet the strategy. 


In taking the strategy forward the ICO has hosted visits from South Africa, 
Singapore, Nigeria and Turkey. 


The ICO also hosted the International Conference of Information 
Commissioners in Manchester, which focused on freedom of information law 
and public institutions' transparency. And the Information Commissioner
took a leading role at the 39th edition of the International Conference
of Data Protection and Privacy Commissioners. She was elected to the
Executive Committee and the ICO won the People's Choice award for its 
work on Artificial Intelligence and Big Data. 


Participation in global networks 


To allow us to develop the relationships and understanding we need to
co-operate internationally, the ICO participates in a range of global networks.


In 2017 the first Global Privacy Enforcement Network Practitioner Event 
was held in Manchester. This brought together enforcement staff from 
privacy enforcement authorities across the world, as well as other relevant 
regulatory bodies, to discuss practical approaches to enforcement and 
other common themes and issues. 


The ICO also led the 2017 Global Privacy Enforcement Network Sweep, 
with 24 regulators from around the world looking at the control users have 
over their personal information. The privacy notices, communications and 
practices of 455 worldwide websites and apps were assessed. The ICO 
reviewed 30 websites in the retail, finance and travel sectors, and found 
that privacy notices were often inadequate. 


In October 2017 members of the Unsolicited Communications Enforcement 
Network met in Canada alongside members of the Messaging, Malware and 
Mobile Anti-Abuse Working Group. The ICO provided updates on our own 
intelligence gathering and enforcement activity. 


Finally we jointly led the first Unsolicited Communications Network Sweep, 
working with the Canadian Radio-television and Telecommunications 
Commission. Nine regulatory and enforcement agencies from five countries 
participated, visiting 902 websites and examining over 6,000 consumer 
complaints relating to affiliate marketing (an arrangement allowing a
company to generate business by allowing affiliated organisations to
promote their products and services). Findings included a lack of
self-regulation and of consent for sending electronic communications, and
misleading advertising being used by affiliates. 


European engagement 


In addition to European GDPR guidance, we were also involved in 
developing the rules of procedure for the European Data Protection Board, 
the communications system for the Board and core content of the Board's 
website. 


Goal 4: Stay relevant, provide excellent public service and keep abreast
of evolving technology. 


Resource and Infrastructure Strategy 


To help us change so that we can regulate the GDPR and the DPA 2018 
from 25 May 2018, and to help us meet our Information Rights Strategic 
Plan, we developed a Resource and Infrastructure Strategic Plan which runs 
to September 2021. The plan covers: 


• Recruitment.

• IT services.

• Funding.

• Contact services.

• Governance processes.


Technology Strategy 


We also developed a Technology Strategy, again running up to 2021. This 
will help us develop the technical knowledge and understanding of the ICO 
and covers: 


• Educating staff on technology issues.

• Guidance for organisations and information to the public on data
protection risks arising from technology.

• Research into data protection risks.

• Engaging with other regulators and international networks on
technological issues.


Grants programme 

We launched our first ever research grants scheme in June 2017, receiving 
117 applications. The scheme is designed to support innovative research 
and solutions focused on privacy and data protection issues. 


After appraising the applications we announced funding for four 
independent research projects on: 


• Development of a digital tool to help individuals protect and enforce their
data protection rights, particularly in the insurance and banking sectors.

• Development of an online tool for the public and organisations to
evaluate the risk of re-identification of pseudonymised data.

• Development of a tool for healthcare professionals to share medical
information securely to support research (as part of the Great North Care
Record).

• A project looking at children's information rights and privacy, with the
intention of it leading to the production of an online toolkit for children to
increase their awareness and competency around online privacy.


Grant recipients presented an overview of their projects at the recent ICO 
Data Protection Practitioner Conference. 


Technology Reference Panel 


In March 2018 the ICO published its Technology Strategy. As part of the 
strategy we will reconstitute our Technology Reference Panel to ensure we 
receive expert advice on, and strategic insight into, emerging technologies, 
and to develop a new stakeholder engagement map focussed on 
technology. To assist with this we will seek to engage with: 


• Professional bodies focused on technology.

• Academic and public sector technology networks.

• University departments and industry bodies which are also focussed on
technology.


Artificial intelligence technology 


We are working with the Alan Turing Institute on artificial intelligence
to develop a framework to help explain how decisions using artificial
intelligence are made. Work in this area will include the appointment of
a two-year post-doctoral post in artificial intelligence and one of the four
annual meetings of the Technology Reference Panel will also focus on 
artificial intelligence. 


Goal 5: Enforce the laws we help shape and oversee. 


Civil monetary penalties 


This year we issued the largest number, and amount, of civil monetary 
penalties since getting the power to do so. 


In relation to breaches of the DPA 1998, we issued eleven monetary 
penalty notices totalling £1,290k for serious security failures. Of these, 
a penalty notice of £400k (the joint highest ever) was served against 
Carphone Warehouse following a serious cyber-attack which placed 
customer and some employee data at risk. 


Eleven monetary penalties were also issued in April 2017 to various 
charities for unlawfully processing donors’ personal data, and two monetary 
penalties were issued to data-broking organisations in connection with 
nuisance calls and messages.

In respect of breaches of PECR, twenty six penalties were issued totalling
£3,280k; half of which were issued for unlawful live and automated 
marketing calls, including a penalty of £400k against Keurboom 
Communications for making nearly 100 million such calls. Ten enforcement 
notices were also issued and we executed three search warrants over the 
course of the year at locations in Nottingham, Stockport and Glasgow. 


We also issued fourteen preliminary enforcement notices and six 
enforcement notices requiring data controllers to comply with requests 
made by individuals under the DPA 1998 for their own personal data. 


Criminal investigations 


During 2017-18 we launched 19 prosecutions which resulted in 18 
convictions for unlawfully obtaining data under Section 55 of the DPA 1998. 
One trial, under Section 56 of the DPA 1998 for a possible enforced subject 
access offence, was discontinued. 


Six cautions were issued for other Section 55 of the DPA 1998 offences. 


We ran two major investigations into the illegal acquisition of data in the 
automotive repair industry, executing eleven search warrants in relation
to these and other criminal investigations. And we are running a criminal 
investigation into alleged breaches of Section 55 of the DPA 1998 by 
corporate clients believed responsible for tasking private investigators to 
unlawfully obtain personal data. The ICO launched the investigation in 
September 2013 following a referral from the National Crime Agency. 


Following our investigation a jury found all defendants guilty on 15 of the 
18 counts. Sentencing took place in January 2018. Woodgate & Clark,
along with a director, a senior employee and two private investigators, 
were ordered to pay a combined £185k in fines, along with a total of 
£82.5k in costs. 


Self reported breaches 


The number of self-reported data breaches has increased by 29% from 
2,447 last year to 3,156 this year. Under GDPR, from 25 May 2018 it is a 
requirement for organisations to report serious data breaches to the ICO 
and awareness of this could be a factor in the increase. Cyber incidents 
also make up part of the increase, with 361 such cases reported this year. 


The sector that reported the largest number of breaches was health, 
making up 37% of all cases. Breach reporting is already mandatory in this 
sector. 


Freedom of information monitoring 

We have engaged with a number of public authorities about their handling 
of responses to freedom of information requests. Following this, progress 
has been made on the timeliness of those bodies’ responses. 


Telephone Preference Service (TPS) 


In January 2017 the Commissioner was assigned statutory responsibility 
for the TPS. This is the UK’s opt-out register for people who do not wish to 
receive live marketing calls. Over the course of the year we integrated the 
TPS complaint reporting systems into our own - enabling quicker receipt 
and assessment of intelligence for our enforcement teams. We also started 
work to remove invalid telephone numbers from the register, ensuring that 
the TPS remains efficient and fit for purpose. 


Financial performance summary 


Grant in aid 


Freedom of information expenditure continued to be funded by grant in aid. 
The grant in aid for 2017-18 was £5,195k (2016-17: £3,750k). 


£1,400k of the grant in aid was to enable the ICO to prepare, during the 
2017-18 year, for implementation of the GDPR in May 2018. The additional 
funding will be paid back during 2018-19 from data protection fee 
income received. 


No grant in aid was carried forward in 2017-18 (2016-17: nil). 


Fees 


During 2017-18 data protection related work was financed by fees collected 
from data controllers who had to notify their processing of personal data 
under the DPA 1998. The annual fee was £35 which applied to charities 
and small organisations with fewer than 250 employees. A higher fee of 
£500 was applicable for larger data controllers defined as those with an 
annual turnover of £25.9 million or more and employing more than 250 
people. For public authorities employing more than 250 people the fee was 
also £500. 


Fees collected in the year totalled £21,300k (2016-17: £19,729k); an 
8% increase on the previous year. 

Annual expenditure 

The total comprehensive expenditure for the year was £5,941k 
(2016-17: £4,504k). 

Financial instruments 


Details of our approach and exposure to financial risk are set out in note 8 
to the financial statements. 


Operational performance summary 


This year has been an intense time for our operational teams who have 
done well to meet unprecedented demand and complexity. 


The following figures reflect some significant increases in output across 
the organisation; output for freedom of information casework is up almost 
12%, data protection complaints is up 23% and self-reported breaches 
up 30%. However, as expected, intake has also risen significantly as 
organisations began their preparation for GDPR implementation in May 
2018 and individuals became more aware of their information rights and 
sought to exercise them. 


In most services we have been able to keep pace with increased work 
levels and caseloads were manageable. We have also ended 2017-18 well 
placed to deal with the new data protection legislation with much of the 
needed GDPR operational methodology in place and a number of key items 
of GDPR procedure and approach completed. 


However, the main impact has been on our front line customer services. 
Calls to our helpline are up almost 25%, with a significant amount of that 
increase arising after Christmas when we introduced a new phone service 
dedicated to helping small organisations prepare for GDPR; we received 
over 85,000 calls in quarter 4 compared to 56,000 calls in quarter 3. And 
requests for written advice also rose by 40% compared to last year. 


We are keeping a careful eye on the situation as we gain experience of 
GDPR and as we recruit extra capacity for our operational teams. 


Performance Report Annual Report 2017/18 


Operational Performance 


Advice services 
Calls to the helpline 


Calls received 


2016-17 189,942 


2017-18 235,672 


Calls answered 


2016-17 
2017-18 


Call answer rates 
2016/17 2017/18 
Percentage answered 95% 80% 
Average wait time 538 3m 23s 


Live Chat 


Chats requested 


2016-17 
2017-18 


Chats answered 


2016-17 
2017-18 


Chat answer rates 

2016/17 2017/18 
Percentage answered 97% 95% 
Average wait time AS 38 


Written Advice 


Received 


Finished 


Caseload 


31 March 2017 


31 March 2018 


Age distribution of finished advice work 


2016-17 2017-18 


7 days or less 75% 38% 


14 days or less 88% 50% 


30 days or less 98% 60% 


Profile of advice service 


• 85% of our enquiries are about the DPA, 9% PECR, 4% FOIA and 2% are 
hybrid. 

• Approximately 68% of our enquiries are from members of the public and 
32% are from those we regulate. 

• 3% of the enquiries received are sent to us in error. 


Data protection concerns 


Received 


Finished 


Caseload 
31 March 2017 2,809 
31 March 2018 2,522 


Age distribution of caseload as at 31 March 2018 


[Bar chart: percentage of caseload in each age band: 0-30 days, 31-90 days, 91-180 days, 181-365 days, 366+ days. Surviving data labels: 0.7%, 1.0%.] 


Age distribution of finished concerns 


2016-17 2017-18 
30 days or less 32% 
90 days or less 90% 
180 days or less 98.5% 

[Bar chart: percentage of finished concerns in each age band: 0-30 days, 31-90 days, 91-180 days, 181-270 days, 271-364 days, over 1 year. Surviving data labels: 11.6%, 0.6%, 0.1%, 0.05%.] 


Outcomes of concerns finished 


[Bar chart, axis 0 to 6000; bar values not recoverable. Categories:] 
No action for DC* 
DC action required 
Concern to be raised with DC 
Compliance advice given to DC 
Response needed from DC 
General advice given to DC 
Not DPA 
DC outside UK 
Improvement Action Plan agreed 

*Data Controller 


DC action required, compliance advice given to DC, general advice given to 
the DC and action plan agreed, are all outcomes that result in us explaining 
to organisations how to improve their information rights practice in some 
way. These outcomes equal 35% of the total for the year. 


Concerns finished with the following outcomes — order made, no order 
made, enforcement notice pursued, criminal investigation pursued, 
undertaking served and Civil Monetary Penalty pursued represented 0.1% 
of the total. 


Areas generating most concerns where sector is specified 

2016-17 2017-18 
General business 
Health 
Local government 
Lenders 
Policing and criminal 
Central Government 
Education 
Other individuals 
Internet 
Telecoms 


Reasons generating most concerns where nature is specified 

2016-17 2017-18 
Subject access 
Disclosure of data 
Inaccurate data 
Right to prevent processing 
Security 
Fair processing 
Use of data 
Retention of data 
Excessive / Irrelevant data 
Obtaining data 


Freedom of information 

FOI complaint casework 


Complaints received 


Complaints answered 


Caseload 


31 March 2017 


31 March 2018 


Age distribution of caseload as at 31 March 2018 

[Bar chart: percentage of caseload in each age band, axis 0% to 35%: 0-30 days, 31-90 days, 91-180 days, 181-365 days, 271-365 days, 366+ days. Bar values not recoverable.] 


Age distribution of finished complaint casework 


2016-17 2017-18 


30 days or less 45% 38% 
90 days or less 
180 days or less 


365 days or less 99.1% 


[Bar chart: percentage of finished complaint casework in each age band, axis 0% to 40%: 0-30 days, 31-90 days, 91-180 days, 181-270 days, 271-365 days, over 1 year. Bar values not recoverable.] 


Areas generating most concerns where sector is specified 

2016-17 2017-18 
Local government 
Central government 
Police & criminal justice 
Health 
Education 
Private companies 


Outcome of a complaint casework where a decision notice is served 

                   2016-17        2017-18 
Total served       1329           1401 
Upheld             232 (24.3%)    420 (30.0%) 
Not upheld         787 (59.2%)    742 (53.0%) 
Partially upheld   219 (16.5%)    239 (17.1%) 


Outcomes of complaint casework finished 

[Bar chart comparing 16-17 and 17-18, axis 0 to 2000; bar values not recoverable. Categories:] 
Complaint made too early (no internal review) 
Decision notice served 
Informally resolved 
Ineligible complaint 
Complaint not progressed 


Appeals to the Information Rights Tribunal 


Received 


2016-17 


2017-18 


Finished 


Open caseload as at 31 March 2018 

[Bar chart, axis 0 to 250; bar values not recoverable. Categories:] 
First tier Tribunal 
Upper Tribunal 
Court of Appeal 
High Court - Judicial review applications 


Outcomes of Appeals finished in 2017-18 


[Bar chart, axis 0 to 140; bar values not recoverable. Categories:] 
Dismissed 
Withdrawn 
Part Allowed, including Consent order* 
Allowed 
Struck out 
Other** 


* Part allowed appeals fall into two broad categories: first, those appeals 
where the Commissioner has made a decision on a number of exemptions 
or exceptions and the Tribunal disagrees with her decision in relation to 
some but not all of those conclusions, and therefore overturns parts, but 
not all, of her findings. 


Second, are those cases where an exemption or exception has not been 
raised with the Commissioner during her investigation but is raised for the 
first time on appeal. Whilst not considered in the Commissioner's Decision 
notice, the Tribunal will on occasion find such late pleaded exemptions or 
exceptions compelling, and may again find that the original decision was 
sound, but that part of the appeal should be allowed in light of the novel 
arguments raised on appeal. 


** Other is made up of appeal refused, appeal not valid and no right of 
appeal. 


PECR Concerns 


Concerns reported 


167,018 


Cookie concerns report 


Nature of telesales and SPAM texts reported 


SPAM texts: 13% 
Telesales call where I heard a recorded voice: 38% 
Telesales call where I spoke to a person: 49% 


Self reported data protection incidents 
Received 

2016-17 

2017-18 


Finished 


Outcomes of self reported incidents finished 

[Bar chart comparing 16-17 and 17-18, axis 0 to 2000; bar values not recoverable. Categories:] 
No action for DC* 
DC action required 
Improvement Action plan agreed 
Civil Monetary Penalty pursued 

*Data Controller 


Self reported incidents finished with the following outcomes — undertaking 
served, not DPA and DC outside UK represented 2.1% of the total. 


Outcomes of self reported incidents finished 


Health 
11% Education 
9% Local government 
9% General business 
5% Solicitors/Barristers 
4% Charities 
3% Policing & criminal records 
3% Housing 
2% Financial advisors 
2% Lenders 


Information access 


Received 


2016-17 
2017-18 


2.6% 


Finished 


Requests by legislation 


Hybrid FOIA 
314 706 
DPA 
465 


Response times 


2016-17 2017-18 


Time for compliance 


Average time (days) 2016-17 2017-18 


Request outcomes 

[Bar chart comparing 16-17 and 17-18, axis 0 to 600; bar values not recoverable. Categories:] 
Information provided in full 
Information partially provided 
Information withheld 
Information not held 
Further clarification needed 
Misguided request 
Withdrawn 


Internal reviews 
Reviews completed Response times 
2016-17 2017-18 


Completed in 20 days 45 56 
Average days 16 16 


Review outcomes 


[Bar chart comparing 16-17 and 17-18, axis 0 to 60; bar values not reliably recoverable. Categories: Not upheld, Partially upheld, Upheld.] 


Sustainability 


Overall strategy 


The ICO’s carbon footprint is generated primarily from heating and 
lighting ICO accommodation, powering our IT infrastructure and from 
business travel. 


We make as full a use of technology as possible to reduce electricity and 
gas consumption; for example by purchasing low energy use IT, fitting 
new more efficient boilers and installing motion detecting lights. And as we 
move our IT services to the Cloud we are reducing our reliance on servers 
which will help reduce energy consumption further. 


We also aim to ensure appropriate and proportionate communications tools 
are in place so that we can engage with stakeholders through relevant 
channels. As a growing organisation there are increasing business travel 
demands, but, where appropriate, we seek to communicate electronically 
rather than have to travel for face to face meetings. 


Performance 


With implementation of the GDPR in May 2018 and preparation for the 
enactment of the Data Protection Bill at the same time, the ICO has been 
very heavily involved in stakeholder engagement during the last year. This 
has led to higher levels of travel than previously which is reflected in the 
increase in travel emissions. Other changes are harder to explain but the 
increase in the use of electricity is possibly due to increased numbers of 
staff, and hence increased use of computers and lighting. 


Biodiversity action planning 

The ICO is not responsible for any outside space and therefore does not 
have a biodiversity plan. 

Sustainable procurement 


We ask those tendering for contracts to provide their sustainability 
statements and policies as standard in most procurement exercises. 


Greenhouse gas emissions 


Total tonnes CO2 

                          2014-15   2015-16   2016-17   2017-18 
Scope 1 (gas)                   9 
Scope 2 (electricity)         238 
Scope 3 (travel)               67 
Total emissions               314       273       217       306 


Tonnes CO2 per full time equivalent staffing 

Scope 1 (gas) 
Scope 2 (electricity) 
Scope 3 (travel) 
Total                        0.86 


Waste minimisation and management and finite resource consumption 


Total waste, water and paper consumption 

Waste / tonnes 
Water consumption / m3 
A4 paper / reams            3,540 


Waste, water and paper consumption per full time equivalent staffing 

                          2014-15   2015-16   2016-17   2017-18 
Waste / tonnes               0.08 
Water consumption / m3 
A4 paper / reams             9.74 


Details of ICO performance: 


Total Travel 

2014-15 2015-16 2016-17 2017-18 

Rail 


Travel summary 

Tonnes CO2 67 94 86 127 


Travel per full time equivalent staffing 


2014-15 2015-16 2016-17 2017-18 


Tonnes CO2 0.09 0.07 0.07 0.07 

Flights 

Tonnes CO2 0.08 0.15 0.13 0.16 


Travel summary 

Cost £ 611.60 580.05 609.42 727.20 
Tonnes CO2 0.19 0.23 0.21 0.25 


Total utilities 


2014-15 2015-16 2016-17 2017-18 
Electricity 

Tonnes CO2 238 160 123 172 


Utility summary 

Cost £ 68,734 68,660 51,844 66,671 
Tonnes CO2 247 178 130 178 


Utilities per full time equivalent staffing 

2014-15 2015-16 2016-17 2017-18 

Electricity 

Tonnes CO2 0.65 0.39 0.30 0.33 


Utility summary 

Tonnes CO2 0.68 0.44 0.32 0.35 


Notes: 
• Information on waste is provided by relevant contractors. 

• Travel costs and mileage are collated from central records and from staff 
directly. 

• Figures may not add due to rounding. 


Going concern 


The accounts are prepared on a going concern basis as a non-trading entity 
continuing to provide statutory public sector services. 


Grant in aid has already been included in the DCMS's estimate for 2018-19 
and the Digital Economy Act 2017 allows the ICO to fund data protection 
related work through fees paid by data controllers from 25 May 2018 
onwards when the DPA 2018 and the GDPR came into force. 


There is no reason to believe that future sponsorship and parliamentary 
approval will not be forthcoming. 


Elizabeth Denham 
10 July 2018 


Directors’ report 


Directorships and other significant interests held by Board members that may 
conflict with their management responsibilities 


Membership of the ICO Management Board, along with further information, 
is detailed in the Governance Statement. 


A register of interests is maintained for the Information Commissioner and 
her Management Board. It is published on the Commissioner's website 
at www.ico.org.uk. Declarations of interest in any of the items coming 
to a particular meeting are also asked for at Board and Audit Committee 
meetings. 


Employee involvement and well being 


The ICO has a policy of co-operation and consultation with recognised trade 
unions over matters affecting staff. Senior managers meet regularly with 
trade unions to discuss issues of interest, and staff involvement in the work 
of the office is actively encouraged as part of the day-to-day process of line 
management. 


Equal opportunities and diversity 


We aim to ensure that all members of society have awareness of, and 
access to, their information rights and receive appropriate protection if 
their rights are infringed. To do this we have sought to include equality and 
diversity in our daily work. 


Our Equality and Diversity Committee and Senior Leadership Team oversee 
our efforts to provide an increasingly accessible service. 


We provide our staff with a work environment and IT systems which help 
meet a range of needs; including accessible offices and IT systems, flexible 
and part-time working (to help work-life balance) and the provision of 
occupational health services. 


We also aim to recruit from a range of backgrounds and take the applicant 
anonymous approach when assessing candidates for employment. 


The community 


This year, ICO staff chose to support the charity Dementia UK and raised 
just over £2,000 for the charity. 


Pension liabilities 

Details on the treatment of pension liabilities are set out in note 3 to the 
financial statements. 

Personal data incidents 

There have been no substantive security incidents during 2017-18. 


Public sector information holders 


The ICO has complied with the cost allocation and charging requirements 
set out in HM Treasury guidance. 


Annual accounts and audit 


The annual accounts have been prepared in a form directed by the 
Secretary of State with the consent of the Treasury in accordance with 
paragraph (10)(1)(b) of Schedule 5 to the DPA 1998. 


Under paragraph (10)(2) of Schedule 5 to the DPA 1998 the Comptroller 
and Auditor General was appointed auditor to the Information 
Commissioner for the financial year 2017-18. The cost of audit services 
for this year was £30k (2016-17: £30k). No other assurance or advisory 
services were provided. 


So far as the Accounting Officer is aware there is no relevant audit 
information of which the Comptroller and Auditor General is unaware, and 
the Accounting Officer has taken all the steps that she ought to have taken 
to make herself aware of relevant audit information and to establish that 
the Comptroller and Auditor General is aware of that information. 


Directors’ statement 
Each of the persons who are directors at the time this report is approved: 


(a) so far as the director is aware there is no relevant audit information of 
which the auditor is unaware; and 


(b) the director has taken all the steps they ought to have taken as 
a director in order to make themselves aware of any relevant 
audit information and to establish that the auditor is aware of that 
information. 


Statement of the Information Commissioner’s responsibilities 


Under paragraph 10(1)(b) of Schedule 5 to the DPA 1998 the Secretary of 
State directed the Information Commissioner to prepare for each financial 
year a statement of accounts in the form and on the basis set out in the 
Accounts Direction. The accounts are prepared on an accruals basis and 
must give a true and fair view of the state of affairs of the Information 
Commissioner at the year end and of her income and expenditure, 
recognised gains and losses and cash flows for the financial year. 


In preparing the accounts the Information Commissioner is required to 
comply with the requirements of the Government Financial Reporting 
Manual (FReM) and in particular to: 


• observe the Accounts Direction issued by the Secretary of State with the 
approval of the Treasury, including the relevant accounting and disclosure 
requirements, and apply suitable accounting policies on a consistent 
basis; 

• make judgements and estimates on a reasonable basis; 

• state whether applicable accounting standards as set out in the FReM 
have been followed, and disclose and explain any material departures in 
the financial statements; and 

• prepare the financial statements on the going concern basis, unless it is 
inappropriate to presume that the Information Commissioner's Office will 
continue in operation. 


The Accounting Officer of the DCMS has designated the Information 
Commissioner as Accounting Officer for her Office. The responsibilities 
of an Accounting Officer, including responsibility for the propriety and 
regularity of the public finances and for keeping of proper records and for 
safeguarding the Information Commissioner's assets, are set out in the 
Non-Departmental Public Bodies’ Accounting Officer Memorandum, issued 
by the Treasury and published in Managing Public Money. 


The Accounting Officer confirms that, as far as she is aware, there is no 
relevant audit information of which the entity's auditors are unaware, and 
the Accounting Officer has taken all the steps that she ought to have taken 
to make herself aware of any relevant audit information and to establish 
that the entity's auditors are aware of that information. 


The Accounting Officer confirms that the annual report and accounts as 
a whole is fair, balanced and understandable and that she takes personal 
responsibility for the annual report and accounts and the judgments 
required for determining that it is fair, balanced and understandable. 


Governance statement 


Introduction 


The Information Commissioner is a corporation sole as established under 
the DPA 1998. Under the terms of the EU Data Protection Directive (for 
2017-18) and from 25 May 2018 the GDPR, the Information Commissioner 
and her office must be completely independent of Government. I am 
accountable to Parliament for the exercise of my statutory functions and 
the independence of the ICO is enshrined in legislation. 


Relationship with the DCMS 


The DCMS is the sponsoring department for the ICO. The relationship with 
the department is governed by a draft Management Agreement which sets 
out our responsibility to support the work of both organisations and to help 
ensure my independence and that of my office. The draft agreement also 
ensures that appropriate reporting arrangements are in place to enable the 
DCMS to monitor the expenditure of public money allocated to the ICO. 


The DCMS has policy responsibility for the DPA and its associated 
legislation. The Cabinet Office has policy responsibility for the FOIA. 


Management Board 


I have a Management Board to support me in the role of Accounting Officer. 
The Board is responsible for developing strategy, monitoring progress in 
implementing strategy, providing corporate governance and assurance 
and for managing corporate risks. The Board comprises myself, two 
Deputy Commissioners, a Deputy Chief Executive Officer and up to four 
non-executive members. My General Legal Counsel also attends Board 
meetings. 


The Board meets quarterly and considers risk management and 
operational, financial, organisational and corporate issues. It also receives 
reports from my Audit Committee and Senior Leadership Team. 


In the course of 2017-18 there were several changes to Board 
membership: 


• Rob Luke, Deputy Commissioner (Policy), left employment with the 
ICO and was paid a salary in accordance with his contract and due 
notice period. During this time Steve Wood was appointed Deputy 
Commissioner (Policy) and started in office on 12 June 2017. 

• James Dipple-Johnstone was appointed Deputy Commissioner 
(Operations) on 19 June 2017. 

• Emma Bate was appointed General Legal Counsel on 11 September 
2017. 

• Simon Entwisle, Chief Operating Officer, retired as of 15 January 2018. 


The table below details attendance at the Management Board meetings 
during the year. 


Dates          08 May 2017   07 August 2017   06 November 2017   12 February 2018 
Nicola Wood    No            Yes              Yes                Yes 


Audit Committee 


The Audit Committee meets quarterly and provides scrutiny, oversight and 
assurance in respect of risk control and governance. The Committee is 
chaired by Ailsa Beaton. Jane McCall is the other Non-executive Director 
and Roger Barlow is the independent member. 


The table below shows attendance of Audit Committee members at the 
meetings during the year. 


Dates          12 June 2017   18 September 2017   01 February 2018   27 April 2018 
Jane McCall    Yes            Yes                 Yes                Yes 


Both external and internal auditors attend the Audit Committee and have 
pre-meetings with Committee members. 


The Audit Committee publishes its own Annual Report for 2017-18 which is 
available on the ICO website (www.ico.org.uk). The report states that the 
Committee is satisfied with the quality of internal and external audit and 
believes that it is able to take a measured and diligent view of the quality 
of the systems of reporting and control within the ICO. 


The Chair of the Audit Committee attends regular meetings of the Chairs 
of the Audit and Risk Committees of DCMS arm’s length bodies. These 
meetings include discussions with senior DCMS staff and the Comptroller 
and Auditor General, and provide opportunities to share issues of interest. 


The Audit Committee receives a quarterly report on incidents of fraud, 
security breaches and whistleblowing incidents as assurance that the 
reporting mechanisms are in place and are effective. 


Senior Leadership Team 


The Senior Leadership Team provides day-to-day leadership for the ICO 
and as such is responsible for developing and delivering against the 
Information Rights Strategic Plan. The team consisted of me and my 
Deputy Commissioners, Deputy Chief Executive Officer and General Legal 
Counsel. 


Board effectiveness 


The Management Board has previously considered its compliance with the 
Corporate governance in central government departments: Code of good 
practice 2017. The ICO does not fully comply with the Code, but the Board 
considers that there are good reasons for this given the size and nature of 
the organisation as a corporation sole. In particular: 


• the Board does not have the powers and duties of a Board in which is 
vested the ultimate authority of the organisation. This is because the 
Commissioner is the ‘corporation’; 

• the Board does not have a lead non-executive director, but given the 
size of the Board and the ICO and its responsibilities, this is not felt 
necessary; 

• non-executive members do not have a specific section in the ICO’s 
Annual Report but this is not currently considered necessary; 

• composition of the Board reflects the nature, responsibilities and size of 
the ICO; 

• the ICO does not have a Nominations and Governance Committee 
but the Board focuses on governance and has taken on the previous 
Remuneration Committee's overview of remuneration policies; and 

• in respect of an operating framework the Board operates within the 
overall system of corporate governance at the ICO. 


The Board has reviewed the information it receives and is satisfied with its 
quality. The Board is also satisfied that it is, itself, operating effectively. 


Issues and highlights 


The ICO’s corporate governance structure has considered various issues of 
substance during the course of the year. These include: 


• The ICO's Information Rights Strategic Plan 2017-2021 and the 
strategies directly supporting this including the Regulatory Action Policy, 
the Resource and Infrastructure Strategy and the Technology Strategy. 

• Preparation for the introduction of the GDPR and the expected enactment 
of the DP Bill, including the new funding model to support data protection 
work post May 2018. 

• Planning for the UK leaving the EU. 

• Recruitment and retention of staff during a period of expansion. 

• ISO 27001 certification. 


Risk assessment 


Risks are regularly reviewed by senior managers, initially at monthly 
Steering Group meetings and then feeding into further discussion of more 
strategic risks at Management Board and Audit Committee meetings. 


The main risks identified during 2017-18 related to the changes in the data 
protection legislation resulting from the implementation of the GDPR on 25 
May 2018. The areas of concern were: 


• Uncertainty over the final wording of the Data Protection Bill and its 
enactment. 

• Preparing for the operational changes necessary to regulate the GDPR 
involving a period of rapid expansion and staff turnover in key areas of 
the office. 

• Introducing a new funding regime for data protection work. 

• Staff recruitment and retention. 


Main areas of uncertainty for the future relate to ensuring the successful 
implementation of the GDPR and DPA 2018 over the next few years and the 
delivery of the new data protection fee income regime. 


Sources of assurance 


As Accounting Officer I have responsibility for reviewing the effectiveness of 
the system of internal control, including the risk management framework. 
My review is informed by the work of the internal auditors and senior 
managers who have responsibility for the development and maintenance 
of the internal control framework, and comments made by the external 
auditors in their management letter and other reports. In their annual 
report our internal auditors have given an overall assurance that they are 
satisfied that sufficient internal audit work has been undertaken to allow 
them to draw a reasonable conclusion as to the adequacy and effectiveness 
of the ICO's risk management, governance and control processes. 


I have been advised on the implications of the result of my review by 
the Board and the Audit Committee. I am satisfied that a plan to address 
weaknesses in the system of internal control and ensure continuous 
improvement of the system is in place. I am also satisfied that all material 
risks have been identified and that those risks are being properly managed. 


Remuneration policy 


During the financial year 2017-18 Schedule 5 to the DPA 1998 provided 
that the salary of the Information Commissioner be specified by a 
Resolution of the House of Commons. In 2008 the House resolved that the 
salary of the Information Commissioner should be £140,000 pa. And in 
March 2018 the House resolved that the salary would be £160k pa from 1 
April 2018. The salary is paid directly from the Consolidated Fund. 


Following commencement of Section 108 of the Protection of Freedoms Act 
in 2013 the remuneration of staff and other officers has been determined 
by the Information Commissioner in consultation with the Secretary of 
State and Treasury. This applied to the July 2017 pay round. 


In January 2018 the ICO was granted pay flexibility from 1 April 2018 for 
three years to enable it to review its pay and grading structure. During 
this period the ICO has the flexibility to determine the levels of pay 
necessary for it to maintain the expertise it needs to fulfil its functions as 
a supervisory authority. In exercising this flexibility the ICO is considering 
aligning ICO pay with the public sector median as a means by which 
pay parity can be achieved. This flexibility is subject to standard public 
spending principles. 


In making decisions on remuneration the Information Commissioner has 
regard to the following considerations: 


• the need to recruit, retain and motivate suitably able and qualified 
people; 

• government policies for improving the public services; 

• the funds available to the Information Commissioner; and 

• Treasury pay guidance. 


Unless otherwise stated, staff appointments are made on merit on the basis 
of fair and open competition and are open-ended until normal retiring age. 
Early termination, other than for misconduct, should result in the individual 
receiving compensation as set out in the Civil Service Compensation 
Scheme. 


Non-executive Directors are paid an annual salary of £12,000 and 
are appointed for an initial term of three years, renewable by mutual 
agreement for one further term of a maximum of three years. 

Remuneration and staff report 


Salary and pension entitlements (audited) 


Details of the remuneration and pension interests of the Information Commissioner and her most 
senior officials are provided below. 


Remuneration (salary, bonuses, benefits in kind and pensions) 


Salary Pension 
benefits 
Benefits in | Compensation (£’000) 
kind (£’000) schemes (-nearest 
Of CANS ninia 000), Cnearest £100) a £1,000) | Total (£'000) | 
2017- 2016- 2017- 2016- 2017- 2016- 2017- 2016- 2017- 2016- 
ales 18 nc I A 1B se ee -A IO: 1B a acid 1B nn de 
Elizabeth 95-100 
Denham a (full year _ = _ 190- 175- 
Information IAS 140- TD a 23 195 180 
OTTENE aa a a yseaeiddeecateeltes 
Christopher 30-35 
Graham _ (full year _ E _ _ E _ E 5 
Information 140- on 
SN 
Simon Entwisle 75-80 145- 
Deputy CEO! (full year 95-100 0.1 0.1 — — (9) 50? 65-70 150 
AAA A ena ne ere te er ern iter are ee 
Paul Arnold 65-70 250- 95- 
Deputy CEO 85-90 (full year 0.1 E = = 162 29 255 100 
80-85) 
tres 45-50 10-15 145- 
pay (full year (full year 0.1 = = = 97 301 40-45 
Commissioner 80-8 150 
rare -85) 80-85) 
AS A 
Steve Wood 
Deputy 7 $ = _ _ 140- 105- 
Commissioner ate eat ea Ss a 145 110 
ato 
James Dipple- 
Johnstone 70-75 
Deputy (full year — 0.1 — — — 127 — 80-85 — 
Commissioner 85-90) 
E A EEE N AOA E E a 
Emma Bate 45-50 
General Legal (full year — 0.1 — — — 20 — 65-70 — 
„Counsel e D90) ee 
Ailsa Beaton 
Non-Executive 10-15 10-15 — — — — — — 10-15 10-15 


Board Member 
Nicola Wood, 
Non-Executive 10-15 10-15 — — — — — — 10-15 10-15 
A 
David Cooke 5-10 
Non- Executive 10-15 (full year — = — — — — 10-15 5-10 
Board Member 10-15) 
Jane McCall 5-10 
Non- Executive 10-15 (full year — — _ — — — 10-15 5-10 
Board Member 10-15) 
Ian Watmore 5-10 
Non- Executive — (full year E — = _ — a — 5-10 
Board Member 10-15) 
Notes: 
1. Retired January 2018. 
2. 2016-17 Pension Benefit figure was re-calculated by MyCSP. It had 
been previously reported as £40-45k. 
3. Left ICO employment October 2017. 
4. Includes benefits accrued prior to ICO employment. 
5. Appointed June 2017. 
6. Appointed June 2017. 
7. James Dipple-Johnstone is a member of a Partnership pension scheme. 
We are required to disclose Employer contributions to pensions to the 
nearest £100. 
8. Appointed September 2017. 


The value of pension benefits accrued during the year is calculated 
as the real increase in pension multiplied by 20 plus the real increase 
in any lump sum, less the contributions made by the individual. The 
real increases exclude increases due to inflation or any increase or 
decrease due to a transfer of pension rights. 


Salary comprises gross salary and any other allowance to the extent 
that it is subject to UK taxation. There were no bonus payments to 
Board Members in 2017-18. 


All benefits in kind relate to the ICO’s contribution to the ICO’s health 
care plan provided by BHSF. 

Pension Benefits (audited) 


                             Accrued pension at         Real increase in           CETV at    CETV at    Real
                             pension age as at          pension and related        31 March   31 March   increase
                             31 March 2018 and          lump sum at                2018       2017       in CETV
                             related lump sum           pension age
                             £000                       £000                       £000       £000       £000
Elizabeth Denham             5-10                       2.5-5                      83         33         38
Simon Entwisle               45-50 plus a lump sum of   0 plus a lump sum of 0     1,037      1,034¹     -8
Deputy CEO
Paul Arnold                  20-25 plus a lump sum of   7.5-10 plus a lump sum of  314        200        97
Deputy CEO
Rob Luke                     20-25 plus a lump sum of   2.5-5 plus a lump sum of   289        218        58
Deputy Commissioner
Steve Wood                   15-20                      2.5-5                      195        147²       33
Deputy Commissioner
James Dipple-Johnstone       —                          —                          —          —          —
Deputy Commissioner
(Operations)
Emma Bate                    0-5                        0-2.5                      11         0          8
General Legal Counsel



Notes: 

1. 2016-17 CETV figure was re-calculated by MyCSP. It had been 
previously reported as £1,008k. 

2. 2016-17 CETV figure was re-calculated by MyCSP. It had been 
previously reported as £139k. 


The Cash Equivalent Transfer Value (CETV) figures are provided by 
MyCSP, the ICO's Approved Pensions Administration Centre, who have 
assured the ICO that they have been correctly calculated following 
guidance provided by the Government Actuary's Department. 


Partnership pensions 


There is one member of staff included in the list of the Commissioner's 
most senior staff who has a partnership pension. Please see note 7 to the 
table on page 55. 


Civil Service pensions 


Further details about the Civil Service pension arrangements are available 
at www.civilservice.gov.uk/pensions. 


Cash Equivalent Transfer Values 


A CETV is the actuarially assessed capitalised value of the pension scheme 
benefits accrued by a member at a particular point in time. The benefits 
valued are the member's accrued benefits and any contingent spouse's 
pension payable from the scheme. It represents the amount paid by 
a pension scheme or arrangement to secure pension benefits in another 
pension scheme or arrangement when the member leaves a scheme and 
chooses to transfer the benefits accrued in their former scheme. 

The pension figures shown relate to the benefits that the individual has 
accrued as a consequence of their total membership of the pension 
scheme, not just their service in a capacity to which disclosure applies. 


The figures include the value of any pension benefit in another scheme or 
arrangement that the individual has transferred to the Civil Service pension 
arrangements. They also include any additional pension benefit accrued to 
the member as a result of their purchasing additional pension benefits at 
their own cost. CETVs are worked out in accordance with The Occupational 
Pension Schemes (Transfer Values) (Amendment) Regulations 2008 
and do not take account of any actual or potential reduction to benefits 
resulting from Lifetime Allowance Tax which may be due when pension 
benefits are taken. 


Real increase in CETV 


This reflects the increase in CETV that is funded by the employer. It does 
not include the increase in accrued pension due to inflation, contributions 
paid by the employee (including the value of any benefits transferred 
from another pension scheme or arrangement) and uses common market 
valuation factors for the start and end of the period. 


Pay multiples (audited) 


Reporting bodies are required to disclose the relationship between the 
remuneration of the highest paid director in their organisation and the 
median remuneration of the organisation's workforce. The Information 
Commissioner is deemed to be the highest paid director and no member of 
staff receives remuneration higher than the highest paid Director. 


The banded remuneration of the highest paid director of the ICO in the 
financial year 2017-18 was £140k to £145k (2016-17: £140k to £145k). 
This was 5.6 times (2016-17: 5.6 times) the median remuneration of 
the workforce, which was £25,073 (2016-17: £24,911). The median total 
remuneration is calculated by ranking the annual full time equivalent salary 
as at 31 March 2018 for each member of staff. 


Staff remuneration ranged from £16,718 to £140,000 (2016-17: £16,428 
to £140,000). 


Total remuneration includes salary, non-consolidated performance-related 
pay and benefits-in-kind. It does not include severance payments, 
employer pension contributions or the CETV of pensions. 


During 2017-18, in common with other public sector organisations, the ICO 
has adhered to government pay restraint policies. 


Number of senior civil service staff (or equivalent) by band 


The Information Commissioner, the Deputy Commissioners, the Deputy 
Chief Executive Officer, the General Legal Counsel and the Non-executive 
Directors are the only staff categorised as being at a grade equivalent to 
the senior civil service. 


Staff composition 


As of the end of this financial year there were nine members of the 
Management Board of whom four were male and five female. Across the 
ICO as a whole 37% of staff were male and 63% female. 

Sickness absence 


The average number of sick days taken per person during the year was 
3.9 days (2016-17: 6.0 days). 


Staff policies relating to the employment of disabled persons 


The ICO’s recruitment processes ensure that shortlisting managers only 
assess the applicant's skills, knowledge and experience for the job. All 
personal information is removed from applications before shortlisting. 


The ICO applies the Disability Confident standard for job applicants who 
are disabled. It has also assisted in the continued employment of disabled 
people by providing a work environment that is accessible and equipment 
that allows people to perform effectively. Our disabled staff are given 
equal access to training and promotion opportunities and adjustments are 
made to work arrangements, work patterns and procedures to ensure that 
people who are, or become, disabled, are treated fairly and can continue to 
contribute to the ICO's aims. 


Staff numbers and costs 
As at 31 March 2018 the ICO had 540 permanent staff (504.8 full time equivalents). 


Average number of full time equivalents during 2017-18 (Audited) 


Permanently Temporarily 2017-18 2016-17 
a i Toit, 
Directly employed 466 — 466 426 
Agency staff — 14 14 8.6 
o A VOE Peace e e > 

Staff costs (Audited) 

Permanently Others 2017-18 2016-17 
employed staff Total Total 

A A a £000 £000 £000 
is o a ae re Tener tee nites ; r: 
Social security costs 1,331 — 1,331 1,173 
Other pension costs 2,732 — 2,732 2,487 
Spek a a A E aa a AT a a oe 
a ee re aa Ia oie ii Sean a 


outward secondments 


Total net costs 17,963 617 18,580 16,175 


Included in staff costs above are notional costs of £190k (2016-17: 
£190k) in respect of salary and pension entitlements of the Information 
Commissioner and the associated employers national insurance 
contributions which are credited directly to the General Reserve, 
temporary agency staff costs of £508k (2016-17: £238k) and inward staff 
secondments of £109k (2016-17: £nil) as well as the amounts disclosed in 
the Remuneration Report. 

Expenditure on consultancy 


During 2017-18 there has been expenditure totalling £38,814 on 
consultancy as defined in Cabinet Office spending controls guidance. This 
expenditure relates to external support in constructing the business case 
around ICO pay flexibility. 


Off-payroll engagements 


There were no off-payroll engagements during 2017-18. 


Exit packages (audited) 


Redundancy and other departure costs are paid in accordance with the 
provisions of the Civil Service Compensation Scheme, a statutory scheme 
made under the Superannuation Act 1972. Exit costs are accounted for 
in full in the year of departure. Where the Information Commissioner has 
agreed early retirements the additional costs are met by the Information 
Commissioner and not by the Principal Civil Service Pension Scheme 
(PCSPS). Ill health retirement costs are met by the pension scheme and 
are not included in the table above. 


There were no compulsory redundancies in 2017-18 (2016-17: none) and 
no other exit packages. 


Ex-gratia payments made outside of the provisions of the Civil Service 
Compensation Scheme are agreed directly with the Treasury. 


Trade union facility time 


Relevant union officials 


Number of employees who were relevant union officials during the relevant period: 17 

Full time equivalent employee number: 16.6 


Percentage of time spent on facility time 


0% 0 passist 
2 sn 
A n D 
e vaamonnennratmsomnnnagton 


Percentage 0.11% 


Paid trade union activities 


Time spent on trade union activities as a percentage of total paid facility time hours: 20% 

Regularity of expenditure (audited) 


There are no regularity of expenditure issues. 


Fees and charges (audited) 


Information on fees collected from data controllers who notify their 
processing of personal data under the DPA is provided in the Financial 
Performance Summary as part of the performance report earlier in this 
document, and further information on data protection fees is also set out in 
notes 1.5 and 2 to the financial statements. 


Remote contingent liabilities 


Please see note 16 to the accounts. 

Long-term expenditure trends 


The ICO is currently facing the challenge of regulating new data protection 
legislation: the GDPR and DPA 2018. This is a major change in data 
protection legislation which has a large impact, not only on the duties and 
responsibilities of data controllers and the rights of individual citizens, but 
also on how the ICO works as a regulator. 


From 25 May this year a new data protection fee structure was introduced 
which allows the ICO to better match fee income to the cost of regulation. 
Fee income is expected to increase to over £32,000k this financial year, 
and to approximately £34,500k by 2020-21. 


Grant in aid for our freedom of information work is expected to remain at 
£3,750k per annum. 


Elizabeth Denham 
10 July 2018 

The Certificate and Report of the 
Comptroller and Auditor General 
to the Houses of Parliament 


Opinion on financial statements 


I certify that I have audited the financial statements of Information 
Commissioner's Office for the year ended 31 March 2018 under the Data 
Protection Act 1998. The financial statements comprise: the Statements of 
Comprehensive Net Expenditure, Financial Position, Cash Flows, Changes in 
Taxpayers’ Equity; and the related notes. These financial statements have 
been prepared under the accounting policies set out within them. I have 
also audited the information in the Accountability Report that is described 
in that report as having been audited. 


In my opinion: 


• the financial statements give a true and fair view of the state of 
Information Commissioner's Office affairs as at 31 March 2018 and of net 
expenditure for the year then ended; and 

• the financial statements have been properly prepared in accordance with 
the Data Protection Act 1998 and Secretary of State directions issued 
thereunder. 


Opinion on regularity 


In my opinion, in all material respects the income and expenditure 
recorded in the financial statements have been applied to the purposes 
intended by Parliament and the financial transactions recorded in the 
financial statements conform to the authorities which govern them. 


Basis of opinions 


I conducted my audit in accordance with International Standards on 
Auditing (ISAs) (UK) and Practice Note 10 ‘Audit of Financial Statements 
of Public Sector Entities in the United Kingdom’. My responsibilities under 
those standards are further described in the Auditor’s responsibilities 
for the audit of the financial statements section of my certificate. 
Those standards require me and my staff to comply with the Financial 
Reporting Council’s Revised Ethical Standard 2016. I am independent 
of the Information Commissioner’s Office in accordance with the ethical 
requirements that are relevant to my audit and the financial statements 
in the UK. My staff and I have fulfilled our other ethical responsibilities 
in accordance with these requirements. I believe that the audit evidence 
I have obtained is sufficient and appropriate to provide a basis for 
my opinion. 


Responsibilities of the Board and Accounting Officer for the financial statements 


As explained more fully in the Statement of Information Commissioner's 
Responsibilities, the Accounting Officer is responsible for the preparation 
of the financial statements and for being satisfied that they give a true and 
fair view. 


Auditor’s responsibilities for the audit of the financial statements 


My responsibility is to audit, certify and report on the financial statements 
in accordance with the Data Protection Act 1998. 

An audit involves obtaining evidence about the amounts and disclosures 
in the financial statements sufficient to give reasonable assurance that 
the financial statements are free from material misstatement, whether 
caused by fraud or error. Reasonable assurance is a high level of 
assurance, but is not a guarantee that an audit conducted in accordance 
with ISAs will always detect a material misstatement when it exists. 
Misstatements can arise from fraud or error and are considered material 
if, individually or in the aggregate, they could reasonably be expected 
to influence the economic decisions of users taken on the basis of these 
financial statements. 


As part of an audit in accordance with ISAs, I exercise professional 
judgment and maintain professional scepticism throughout the audit. 
I also: 


• identify and assess the risks of material misstatement of the financial 
statements, whether due to fraud or error, design and perform audit 
procedures responsive to those risks, and obtain audit evidence that 
is sufficient and appropriate to provide a basis for my opinion. The 
risk of not detecting a material misstatement resulting from fraud is 
higher than for one resulting from error, as fraud may involve collusion, 
forgery, intentional omissions, misrepresentations, or the override of 
internal control. 


• obtain an understanding of internal control relevant to the audit in order 
to design audit procedures that are appropriate in the circumstances, but 
not for the purpose of expressing an opinion on the effectiveness of the 
Information Commissioner's Office internal controls. 


• evaluate the appropriateness of accounting policies used and the 
reasonableness of accounting estimates and related disclosures made by 
management. 


• conclude on the appropriateness of management's use of the going 
concern basis of accounting and, based on the audit evidence obtained, 
whether a material uncertainty exists related to events or conditions that 
may cast significant doubt on the Information Commissioner's Office's 
ability to continue as a going concern. If I conclude that a material 
uncertainty exists, I am required to draw attention in my auditor's 
report to the related disclosures in the financial statements or, if such 
disclosures are inadequate, to modify my opinion. My conclusions are 
based on the audit evidence obtained up to the date of my auditor's 
report. However, future events or conditions may cause the entity to 
cease to continue as a going concern. 


• evaluate the overall presentation, structure and content of the financial 
statements, including the disclosures, and whether the consolidated 
financial statements represent the underlying transactions and events in 
a manner that achieves fair presentation. 


I communicate with those charged with governance regarding, among 
other matters, the planned scope and timing of the audit and significant 
audit findings, including any significant deficiencies in internal control that I 
identify during my audit. 


In addition, I am required to obtain evidence sufficient to give reasonable 
assurance that the income and expenditure reported in the financial 
statements have been applied to the purposes intended by Parliament and 
the financial transactions conform to the authorities which govern them. 

Other Information 


The Accounting Officer is responsible for the other information. The other 
information comprises information included in the Performance Report and 
Accountability Report, other than the parts of the Accountability Report 
described in that report as having been audited, the financial statements and 
my auditor's report thereon. My opinion on the financial statements does 
not cover the other information and I do not express any form of assurance 
conclusion thereon. In connection with my audit of the financial statements, 
my responsibility is to read the other information and, in doing so, consider 
whether the other information is materially inconsistent with the financial 
statements or my knowledge obtained in the audit or otherwise appears to 
be materially misstated. If, based on the work I have performed, I conclude 
that there is a material misstatement of this other information, I am required 
to report that fact. I have nothing to report in this regard. 


Opinion on other matters 


In my opinion: 


• the parts of the Accountability Report to be audited have been properly 
prepared in accordance with Secretary of State directions made under 
the Data Protection Act 1998; 


• in the light of the knowledge and understanding of the entity and its 
environment obtained in the course of the audit, I have not identified any 
material misstatements in the Performance Report or the Accountability 
Report; and 

• the information given in Performance Report and Accountability Report 
for the financial year for which the financial statements are prepared is 
consistent with the financial statements. 


Matters on which I report by exception 


I have nothing to report in respect of the following matters which I report 
to you if, in my opinion: 


• adequate accounting records have not been kept or returns adequate for 
my audit have not been received from branches not visited by my staff; 
or 


• the financial statements and the parts of the Accountability Report to be 
audited are not in agreement with the accounting records and returns; or 

• I have not received all of the information and explanations I require for 
my audit; or 

• the Governance Statement does not reflect compliance with HM 
Treasury's guidance. 


Report 


I have no observations to make on these financial statements. 


Sir Amyas C E Morse 
Comptroller and Auditor General 
17 July 2018 

National Audit Office 
157-197 Buckingham Palace Road 
Victoria 
London 
SW1W 9SP 

Statement of comprehensive net expenditure 
for the year ended 31 March 2018 


2017-18 2016-17 

Note £000 £000 £000 £000 
Expenditure 
Staff costs 3 18,580 16,175 
Other expenditure 8,431 7,176 
Depreciation and other non-cash costs 4 445 8,876 1,745 8,921 
Total expenditure 27,456 25,096 
Income 
Income from activities 5a (21,838) (20,157) 
Net expenditure 5,618 4,939 
Other comprehensive expenditure 
Net gain/(loss) on revaluation of ADS (435) 
POP CRY A DI gee A E NOS 
Total comprehensive expenditure 5,941 4,504 


for the year ended 31 March 


Note: 
All income and expenditure relates to continuing operations. 


The notes on pages 70 to 84 form part of these financial statements. 

Statement of financial position 
as at 31 March 2018 


31 March 2018 31 March 2017 

Note £000 £000 £000 £000 
< ae ae TF E A E E E E S E E E E A NE EA A EN 
a a rea O aaa gr ee AAN OEE EN 
a Bae Pouce So Rag ane AP N E da i S AT Ce eRe E 
Total non-current assets 1,806 1,826 
Current assets 
eee eee ee ala a A N o E 
a er ae ee ener eRe ETOH: de E TE ee a A E E o o ROR eRe 
Total current assets 6,389 4,707 
Total assets 8,195 6,533 
Current liabilities 
ee a a ay a E E E E, n A T E EE e Re gar ah RE nea) : 
i o A E oo > IO : E EE A o Ae a 4 
o 3,066 3,632 
Non-current liabilities 
sa fe West ied eee tn WAC O AS b A O ; ons de dann aa ; 
Assets less liabilities 2,425 2,982 
Taxpayers’ equity 
E o aa EA TALEE 
ae A a SR RIE AE ee Sea eee ete eee ene se = eRe E peer 

2,425 2,982 




Elizabeth Denham 
10 July 2018 

Statement of cash flows 
for the year ended 31 March 2018 


2017-18 2016-17 

Note £000 £000 
ee aca ind A o e de SOR 
ee A : 2 = ae SEE E an EET ao) : 
a e MEN e ar ae ae 
Ber ee : ia E AEA ATA R A REN Cet A ida o a 
ee a aren o aves ae DEE MU eR ums rine ert uc Cae 
ee oR EPR Lae al gre Ure WET Re TP aE Der E T oo : 5 SO a a 
Net cash outflow from operating activities (4,996) (1,880) 
Cash flows from investing activities 
E a EE : Re ae o ES 
E ee a a ae gece A EIE E E an ERR AT awe AR RARE OR eT ENO Baa a Serer ENG Ge 
Net cash outflow from investing activities (1,004) (678) 
Cash flows from financing activities 
o ge A nec o : ES e cc seer 
Net cash flows from financing activities 5,195 3,790 
Net increase/(decrease) in cash and cash equivalents during 
the year before adjustment for receipts and payments to the 
Consolidated Fund (805) 1,232 
ae oe ee Wn ae ee = See eee O pon 
of the Information Commissioner's activities 2,132 2,384 
ES a ee ee ae ee ` ose ae bat a ree her ree eer er rere as eres poe A 
Net increase/(decrease) in cash and cash equivalents in the year (706) 821 
after adjustment for receipts and payments to the consolidated fund 
Cash and cash equivalents at the start of the year 3,629 2,808 
Cash and cash equivalents at the end of the year 10 2,923 3,629 


Note: The notes on pages 70 to 84 form part of these financial statements. 

Statement of changes in taxpayers’ equity 


for the year ended 31 March 2018 


                                                                     Revaluation   General    Total
                                                                     reserve       reserve    reserves
                                                              Note   £000          £000       £000
Balance at 31 March 2016                                             105           3,401      3,506
Changes in taxpayers’ equity 2016-17
Grant in aid from the DCMS                                           —             3,790      3,790
Transfers between reserves                                           (217)         217        —
Comprehensive expenditure for the year                               435           (4,939)    (4,504)
Non-cash charges - Information Commissioner's salary costs    3      —             190        190
Balance at 31 March 2017                                             323           2,659      2,982
Changes in taxpayers’ equity 2017-18
Grant in aid from the DCMS                                           —             5,195      5,195
Transfers between reserves                                           —             —          —
Comprehensive expenditure for the year                               (323)         (5,618)    (5,941)
Non-cash charges - Information Commissioner's salary costs           —             190        190
Balance at 31 March 2018                                             —             2,426      2,426


Note: The notes on pages 70 to 84 form part of these financial statements. 

Notes to the accounts 


1. Statement of accounting policies 


These financial statements have been prepared in accordance with 
the 2017-18 FReM issued by HM Treasury. The accounting policies 
contained in the FReM apply International Financial Reporting 
Standards (IFRS) as adapted or interpreted for the public sector 
context. Where the FReM permits a choice of accounting policy, the 
accounting policy which is judged most appropriate to the particular 
circumstances of the Information Commissioner for the purpose of 
giving a true and fair view has been selected. The particular policies 
adopted by the Information Commissioner are described below. 
They have been applied consistently in dealing with items that are 
considered material to the accounts. 


1.1 Accounting convention 
These accounts have been prepared under the historical cost 
convention. 


1.2 Disclosure of IFRSs in issue but not yet effective 
The Information Commissioner has reviewed the IFRSs in issue but 
not yet effective (as below), and has determined that there is a new 
standard that is likely to have a significant impact. 


Standard eee A aerate vers oommusncumoes 
IFRS 9 - Financial Instruments    Not applicable 
a aja Not applicable 

Cona weu on er eter ore itn eee 
IFRS 16 - Leases    Due to be implemented in January 2019. This standard 
will impact on the accounting treatment of any current leases and will 
have a material effect on the accounts of the ICO. All leases will be 
required to be presented on the Statement of Financial Position except 
those considered out of scope. 

Grant in aid 

Grant in aid is received from the DCMS to fund expenditure on 
freedom of information work, and from the Home Office to fund 
electronic identification and trust services regulation. This is credited 
to the General Reserve on receipt. In 2017-18 the ICO received 
additional Grant in aid of £1.4m from DCMS to cover ICO expansion 
plans in relation to the GDPR. This will be re-paid in 2018-19 by way 
of a reduction in our grant in aid. 


Cash and cash equivalents 

Cash and cash equivalents recorded in the Statement of Financial 
Position and Statement of Cash Flows include cash in hand, deposits 
held at call with banks, other short-term highly liquid investments and 
bank overdrafts. 


Income from activities and Consolidated Fund income 

Income collected under the DPA is surrendered to the DCMS as 
Consolidated Fund income, unless the DCMS (with the consent of the 
Treasury) has directed otherwise, in which case it is treated as Income 
from activities. There are three main types of income collected: 


Data protection notification fees 

During 2017-18 fees were collected from annual notification fees paid 
by data controllers required to notify their processing of personal 
data under the DPA 1998. The Commissioner had been directed to 
retain the fee income collected to fund data protection work and this 
is recognised in the Statement of Comprehensive Net Expenditure as 
income. At the end of the year the Commissioner may carry forward 
sufficient fee income as defined in the draft Management Agreement 
with DCMS. Any fees in excess of these limits are paid over to the 
Consolidated Fund. 


Civil monetary penalties 

The Commissioner can impose civil monetary penalties of up to £500k 
for serious breaches of the DPA 1998 or PECR. A penalty can be 
reduced by 20% if paid within 30 days of being issued. 


The Commissioner does not take action to enforce a civil monetary 
penalty unless, and until, the period specified in the notice as to when 
the penalty must be paid has expired and the penalty has not been 
paid, all relevant appeals against the monetary penalty notice and any 
variation of it have either been decided or withdrawn, and the period 
for the data controller to appeal against the monetary penalty and any 
variation of it has also expired. 


Civil monetary penalties collected by the Commissioner are 
recognised on an accruals basis when issued. They are paid over 
to the Consolidated Fund net of any early payment reduction when 
received. Civil monetary penalties are not recognised in the Statement 
of Comprehensive Net Expenditure but are treated as an asset and a 
liability in the Statement of Financial Position. 


The amounts recognised are regularly reviewed and subsequently 
adjusted in the event that a civil monetary penalty is varied, cancelled, 
impaired or written off as irrecoverable. Amounts are written off as 
irrecoverable on the receipt of legal advice. Legal fees incurred in 
recovering debts are borne by the ICO. 

Sundry receipts 

The Commissioner has been directed to retain certain sundry receipts 
such as reimbursed travel expenses, conference fees and recovered 
legal costs. This is recognised in the Statement of Comprehensive Net 
Expenditure as income. 


The Commissioner has interpreted the FReM to mean that she is 
acting as a joint agent with the DCMS, and that income not directed 
to be retained as Income from Activities falls outside of normal 
operating activities and is not reported through the Statement of 
Comprehensive Net Expenditure, but disclosed separately within the 
notes to the accounts. This included receipts such as bank interest, 
which is paid to the Consolidated Fund. 


1.6 Notional costs 

The salary and pension entitlement of the Information Commissioner 
are paid directly from the Consolidated Fund and are included within 
staff costs and then reversed with a corresponding credit to the General 
Reserve. 


1.7 Pensions 

Past and present employees are covered by the provisions of the 
PCSPS. 


1.8 Property, plant and equipment 

Assets are classified as property, plant and equipment if they are 
intended for use on a continuing basis, and their original purchase 
cost, on an individual basis, is £2,000 or more; except for laptop and 
desktop computers which are capitalised even when their individual 
cost is below £2,000. 


Property, plant and equipment (excluding assets under construction) 
are valued under a depreciated historical cost basis. This is a change 
from previous years. Depreciated historical cost basis is a reasonable 
proxy for current value in existing use or fair value for assets that 
have short useful lives or low values. 


At each balance sheet date the carrying amounts of property, plant 
and equipment and intangible assets are reviewed to determine 
whether there is any indication that those assets have suffered an 
impairment loss. If any such indication exists the fair value of the 
asset is estimated in order to determine the impairment loss. Any 
impairment charge is recognised in the Statement of Comprehensive 
Net Expenditure account in the year in which it occurs. 


1.9 Depreciation 

Depreciation is provided on property, plant and equipment on a 
straight-line basis to write off the cost or valuation evenly over the 
asset’s anticipated life. A full year’s depreciation is charged in the year 
in which an asset is brought into service. No depreciation is charged in 
the year of disposal. The principal lives adopted are: 


Information technology: between five and 10 years 
Plant and machinery: between five and 10 years 
Leasehold improvements: over the remainder of the property lease 

1.10 Intangible assets and amortisation 
Intangible assets are stated at the lower of replacement cost and 
recoverable amount. Computer software licences and their associated 
costs are capitalised as intangible assets where expenditure of £2,000 
or more is incurred. Software licences are amortised over their useful 
economic life which is estimated as four years or the length of the 
contract, whichever is the shorter term. 


1.11 Operating leases 
Amounts payable under operating leases are charged to the 
Comprehensive Net Expenditure Account on a straight-line basis over 
the lease term, even if the payments are not made on such a basis. 


1.12 Provisions 
Provisions are recognised when there is a present obligation as a 
result of a past event where it is probable that an outflow of resources 
will be required to settle the obligation and a reliable estimate of the 
amount of the obligation can be made. 


1.13 Value added tax 
The Information Commissioner is not registered for VAT as most 
activities of the ICO are outside of the scope of VAT and fall below 
the registration threshold. VAT is charged to the relevant expenditure 
category, or included in the capitalised purchase cost of non-current 
assets. 


1.14 Segmental reporting 
The policy for segmental reporting is set out in note 2 to the 
financial statements. 

2. Analysis of net expenditure by segment 

[Table, £'000: Income and Net expenditure by segment (Data 
protection; Freedom of information; Other grant in aid). Figures in 
printed order: (21,838); 423; (21,838); 5,618; (20,157); 1,189; 3,750.] 



Expenditure is classed as administrative expenditure except those 
costs associated with readiness for legislative changes which have 
been classified as programme. 


The analysis above is provided for fees and charges purposes and for 
the purpose of IFRS 8: Operating Segments. 


The factors used to identify the reportable segments of data 
protection and freedom of information are that the Commissioner's 
main responsibilities were contained within the DPA 1998 and FOIA, 
and funding during 2017-18 and in prior years was provided for 
data protection work by collecting an annual registration fee from 
data controllers under the DPA 1998, whilst funding for freedom of 
information is provided by a grant in aid from the DCMS. Other grant 
in aid related to a £1,400k advance from DCMS in readiness for GDPR 
and £45k for electronic and trust services regulation. 


The data protection notification fee was set by the Secretary of 
State, and in making any fee regulations under section 26 of the DPA 
1998, as amended by paragraph 17 of Schedule 2 to the FOIA, the 
Secretary of State had to have regard to the desirability of securing 
that the fees payable to the Commissioner were sufficient to offset the 
expenses incurred by the Commissioner, the Information Tribunal and 
any expenses of the Secretary of State in respect of the Commissioner 
or the Tribunal, and any prior deficits incurred, so far as attributable 
to the functions under the DPA 1998. 


These accounts do not include expenses incurred by the Information 
Tribunal or the Secretary of State in respect of the Commissioner, and 
therefore cannot be used to demonstrate that data protection fees 
offset expenditure on data protection functions, as set out in the DPA 
1998. Expenditure is apportioned between the data protection and 
freedom of information work on the basis of costs recorded in the 
ICO’s accounting system. This allocates expenditure to various cost 
centres across the ICO. A financial model is then applied to apportion 
expenditure between data protection and freedom of information 
on an actual basis where possible, or by way of reasoned estimates 
where expenditure is shared. 


(20,157) 
4,939 

Staff numbers and related costs 


Staff costs comprise: 

                                   Permanently                2017-18
                                   employed staff   Others    Total
                                   £000             £000
Sub-total                          17,963           617
Less recoveries in respect of
outward secondments                -                -
Total net costs                    17,963           617


Included in the staff costs above are notional costs of £190k 
(2016-17: £190k) in respect of salary and pension entitlements of 
the Information Commissioner and the associated employer's national 
insurance contributions which are credited directly to the General 
Reserve, temporary agency staff costs of £508k (2016-17: £238k) 
and inward staff secondments of £109k (2016-17: £nil) as well as the 
amounts disclosed in the Remuneration Report. 


Average number of persons employed 

The average number of whole time equivalent persons employed 
during the year was: 

                      Permanently       Temporarily
                      employed staff    employed staff
Total employed        466               14


Pension arrangements 

The PCSPS is an unfunded multi-employer defined benefit scheme. 
The ICO is unable to identify its share of the underlying assets and 
liabilities. The Scheme Actuary valued the scheme at 31 March 2015. 
Details may be found in the resource accounts of the Cabinet Office 
Civil Superannuation (www.civilservice.gov.uk/pensions). 


For 2017-18 employers' contributions of £2,643k (2016-17: £2,392k) 
were payable to the PCSPS at one of four rates in the range 20-24.5% 
of pensionable pay, based on salary bands. The Scheme's Actuary 
reviews employer contributions usually every four years following 
a full Scheme valuation. The contribution rates are set to meet 
the cost of benefits accruing during 2017-18 to be paid when the 
member retires and not the benefits paid during the period to existing 
pensioners. 

Employees can opt to open a partnership account, a stakeholder 
pension with an employer contribution. Employers’ contributions of 
£88k (2016-17: £78k) were paid to one or more of a panel of three 
appointed stakeholder pension providers. Employers’ contributions 
are age related and range from 8% to 14.8% of pensionable pay. In 
addition, employers’ contributions of £2.9k (2016-17: £2.5k), 0.5% 
of pensionable pay, were payable to the PCSPS to cover the cost 
of future provision of lump sum benefits on death in service and ill 
health retirement of these employees. 


Contributions due to partnership pension providers at the Statement 
of Financial Position date were £8.7k (2016-17 £6.6k). Contributions 
prepaid at the date were nil (2016-17 nil). 

Pension costs include notional employers’ contributions of £34,300k 
(2016-17: £23k) in respect of notional costs in respect of the 
Commissioner. 


No individuals retired early on health grounds during the year. 


4. Other expenditure 

                          2017-18    2016-17
                          £'000      £'000
                          8,431      7,176
Non-cash items            445        1,746
Total expenditure         8,876      8,922

[Table, 2017-18, £'000. Row labels: Sundry receipts; Consolidated 
Fund income; Marketing income; Income payable to Consolidated Fund; 
Balances held at the start of the year; Payments to the Consolidated 
Fund; Balances held at the end of the year (note 11). Figures in 
printed order: 21,300; 538; 21,838; 21,300; (21,300); 4,810; (501); 
(429); 3,880; 101; 23; 41; 330; 43; 538; (538); 3,880; 1,092; 3,880; 
(2,033); 2,939; (2,795); 1,092.] 

As set out in note 1.5, income payable to the Consolidated Fund does 
not form part of the Statement of Comprehensive Net Expenditure. 
Amounts retained under direction from the DCMS with the consent of 
the Treasury are treated as Income from Activities within the Statement 
of Comprehensive Net Expenditure. The amounts receivable at 31 March 
2018 were £2,343k (31 March 2017: £595k) and the amounts payable 
were £2,939k (31 March 2017: £1,092k). 


6. Property, plant and equipment 

                                                              Assets
                    Information   Plant and   Leasehold       under          2018     2017
                    technology    machinery   improvements    construction   Total    Total
                    £'000         £'000       £'000           £'000          £'000    £'000
At 31 March 2018    7,488         257         2,375           621            10,741   11,102

Depreciation

Net book value at
31 March 2018       835           157         45              621            1,658    1,582

Owned               835           157         45              621            1,658    1,582
Net book value at
31 March 2018       835           157         45              621            1,658    1,582

Property, plant and equipment (excluding assets under construction) 
is valued under a depreciated historical cost basis as a proxy for 
current value in existing use or fair value for assets that have short 
useful lives or low values. This is considered an appropriate model for 
all classes of assets as the majority have useful lives of 5 years or are 
considered an immaterial value. 


78 Financial statements: Notes to the accounts 


Intangible assets 

                                   Software   Assets under   2018    2017
                                   licences   construction   Total   Total
                                   £'000      £'000          £'000   £'000
                                   23         —              23      10
Reclassifications
At 31 March 2018                   3,403      —              3,403   3,380

Amortisation
                                   119        —              119     822
Disposals
At 31 March 2018                   3,255      —              3,255   3,136

Net book value at 31 March 2018    148        —              148     244

Asset financing
Net book value at 31 March 2018    148        —              148     244


Financial instruments 


As during 2017-18 the cash requirement of the Information 
Commissioner was met through fees collected under the 
DPA 1998 and grant in aid provided by the DCMS, financial 
instruments play a more limited role in creating and managing 
risk than would apply to a non-public sector body. 


The majority of financial instruments relate to contracts to buy 
non-financial items in line with the Information Commissioner's 
expected purchase and usage requirement and the Information 
Commissioner is therefore exposed to little credit, liquidity or 
market risk. 

9. Trade receivables and other current assets 

                                     31 March   31 March
                                     2018       2017
Prepayments and accrued income
Sub-total
Consolidated Fund receipts due
less amounts impaired (note 5b)      (429)
Split
Bodies external to government


10. Cash and cash equivalents 

                                     31 March   31 March
                                     2018       2017
                                     £000
Net change in cash and cash
equivalent balances                  (706)
Balance at 31 March                  2,923
Split
                                     2,923

                                     31 March   31 March
                                     2018       2017
Accruals and deferred income
Sub-total
Bodies external to government


The amount payable to the sponsor department represents the 
amount which will be due to the Consolidated Fund when all of 
the income due is collected. 


Provision for liabilities and charges 

Early departure costs 
                                     2017-18    2016-17
                                     £000       £000
                                     54         63
Provision utilised in year           (9)        (9)
Balance at 31 March                  45         54

Dilapidations 
                                     2017-18    2016-17
                                     £000       £000
                                     605        605
                                     605        605


Analysis of expected timing of discounted flow: 

Early departure costs 
                                     2017-18    2016-17
                                     £000       £000
                                     9          9
Later than one year and not later
than five years                      36         45
Later than five years
                                     45         54

Dilapidations 
                                     2017-18    2016-17
                                     £000       £000
                                     605        605
                                     605        605

Dilapidations provision 

The lease on the ICO main premises at Wycliffe House, Wilmslow 
expired on 1 January 2017 and a new lease was signed with a 
break clause in five years. A provision has been made based upon 
the assessment by GVA, commercial property advisers, dated 
January 2013. 


Early departure costs 


The additional cost of benefits, beyond the normal PCSPS benefits in 
respect of employees who retire early, are provided for in full when 
the early departure decision is approved by establishing a provision 
for the estimated payments discounted by the Treasury discount rate 
of 0.1% (2016-17: 0.24%). The estimated payments are provided by 
MyCSP. 


13. Capital commitments 


There were no capital commitments in the year ending 31 March 2018 
(2016-17: £nil). 


14. Commitments under operating leases 


The ICO leases properties in Wilmslow, Wycliffe House and King’s 
Court, under non-cancellable operating lease agreements. The lease 
in Wycliffe House allows for a break clause on 01 January 2022 
and King’s Court on 09 August 2022. Both leases have no option to 
purchase and no specific renewal terms. Renewals are negotiated 
with the lessor in accordance with the provisions of the individual 
lease agreements. 


                                           31 March   31 March
                                           2018       2017
Total future minimum lease payments
under operating leases are:                £000       £000

Buildings

Not later than one year                    702        384
Later than one year and not later than
five years                                 2,970      2,311
Later than five years                      -          -
                                           3,672      2,695


The minimum lease payments are determined from the relevant lease 
agreements and do not reflect possible increases as a result of market 
based reviews. The lease expenditure charged to the Statement of 
Comprehensive Net Expenditure during the year is disclosed in note 4. 

15. Related party transactions 


The Information Commissioner confirms that she had no personal 
business interests which conflict with her responsibilities as 
Information Commissioner. 


During the financial year 2017-18 the DCMS was a related party to 
the Information Commissioner. 


During the year no related party transactions were entered into, with 
the exception of providing the Information Commissioner with grant 
in aid and remitting receipts collected on behalf of the Consolidated 
Fund. Details of the Commissioner’s remuneration and pension 
entitlement are disclosed in the remuneration report earlier in the 
document and note 3 to the Financial Statement. 


None of the key managerial staff or other related parties has 
undertaken any material transaction with the Information 
Commissioner during the year. 


16. Contingent Liabilities 


There are no contingent liabilities at 31 March 2018 
(31 March 2017: none). 


17. Events after the reporting period 


There were no events between the Statement of Financial Position 
date and the date the accounts were authorised for issue, which is 
interpreted as the date of the Certificate and Report of the Comptroller 
and Auditor General. 


The Accounting Officer authorised these financial statements for issue 
on 17 July 2018. 